From 3b2e843e625ab989c6491694f1bd7a5e895d88cc Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Tue, 18 Feb 2014 19:40:27 +0100 Subject: haproxy-devel, use same checks to show if acl's are used and for writing the configuration file --- config/haproxy-devel/haproxy.inc | 72 +++++++++++++++++------------- config/haproxy-devel/haproxy_listeners.php | 4 -- 2 files changed, 41 insertions(+), 35 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index d039b55a..24be5363 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -898,10 +898,8 @@ function haproxy_writeconf($configpath) { $default_backend = ""; $i = 0; foreach ($bind['config'] as $frontend) { - $a_acl=&$frontend['ha_acls']['item']; - if(!is_array($a_acl)) - $a_acl=array(); - + $a_acl = &get_frontend_acls($frontend); + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); // Create different pools if the svrport is set 
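Review bot: `$a_acl = &get_frontend_acls($frontend);` binds a reference to a function's return value, which PHP reports as "Only variables should be assigned by reference" and gains nothing here because the callee returns a freshly built array; write `$a_acl = get_frontend_acls($frontend);`. The enclosing haproxy_writeconf starts before this hunk and its `foreach` body continues past it.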
@@ -913,31 +911,6 @@ function haproxy_writeconf($configpath) { $a_pendingpl[$poolname]['name'] = $poolname; $a_pendingpl[$poolname]['frontend'] = $frontend; } - - if (strtolower($bind['type']) == "http" && $frontend['ssloffload']) { - $aclname = "SNI_" . $poolname; - if ($frontend['ssloffloadacl']){ - $cert = lookup_cert($frontend['ssloffloadcert']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - if ($frontend['ssloffloadacladditional']){ - $certs = $frontend['ha_certificates']['item']; - if (is_array($certs)){ - if (count($certs) > 0){ - foreach($certs as $certref){ - $cert = lookup_cert($certref['ssl_certificate']); - $cert_cn = cert_get_cn($cert['crt']); - $descr = haproxy_escape_acl_name($cert['descr']); - $a_acl[] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); - unset($cert); - } - } - } - } - } // Write this out once, and must be before any backend config text if (($default_backend == "" || $frontend['secondary'] != 'yes') && count($a_acl) == 0 ) { @@ -947,8 +920,8 @@ function haproxy_writeconf($configpath) { // combine acl's with same name to allow for 'combined checks' to check for example hostname and fileextension together.. $a_acl_combine = array(); foreach ($a_acl as $entry) { - $name = $entry['name']; - $a_acl_combine[$name][] = $entry; + $name = $entry['ref']['name']; + $a_acl_combine[$name][] = $entry['ref']; } foreach ($a_acl_combine as $a_usebackend) { 
@@ -1338,6 +1311,43 @@ function get_frontend_acls($frontend) { $result[] = $acl_item; } } + + $mainfrontend = get_primaryfrontend($frontend); + if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) { + $a_acl = &$frontend['ha_acls']['item']; + if(!is_array($a_acl)) + $a_acl=array(); + + $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); + $aclname = "SNI_" . $poolname; + if ($frontend['ssloffloadacl']){ + $cert = lookup_cert($frontend['ssloffloadcert']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Certificate ACL ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + if ($frontend['ssloffloadacladditional']){ + $certs = $frontend['ha_certificates']['item']; + if (is_array($certs)){ + if (count($certs) > 0){ + foreach($certs as $certref){ + $cert = lookup_cert($certref['ssl_certificate']); + $cert_cn = cert_get_cn($cert['crt']); + $descr = haproxy_escape_acl_name($cert['descr']); + unset($cert); + $acl_item = array(); + $acl_item['descr'] = "Additional certificate ACLs: ".$cert_cn; + $acl_item['ref'] = array('name' => "{$aclname}_{$descr}",'expression' => 'host_matches', 'value' => $cert_cn); + $result[] = $acl_item; + } + } + } + } + } return $result; } diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index 2a1f12e6..ea289b1f 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -169,10 +169,6 @@ include("head.inc"); foreach ($acls as $acl) { $isaclset .= " " . $acl['descr']; } - if ($frontend['ssloffloadacl']) - $isaclset .= " " . "Certificate ACL"; - if ($frontend['ssloffloadacladditional']) - $isaclset .= " " . "Additional certificate ACLs"; if ($isaclset) echo ""; -- cgit v1.2.3 
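Review bot: In the new block of get_frontend_acls, `$a_acl = &$frontend['ha_acls']['item'];` together with the `is_array`/`array()` fallback is never read again; it is left over from the code moved out of haproxy_writeconf and should be dropped. The `descr` strings built here now embed the certificate CN, and the second hunk of this commit (haproxy_listeners.php) still appends `$acl['descr']` to page output as-is on the `$isaclset .= " " . $acl['descr'];` context line, so that output should go through `htmlspecialchars()` now that it no longer consists of fixed literals. The SNI condition also changes from the frontend's own `ssloffload` flag to `$mainfrontend['ssloffload']`; if that is deliberate for shared frontends, a one-line comment saying so would stop the next reader from treating it as an accident. get_frontend_acls begins before this hunk.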
From 02f1cef4b3a8a980e204b895590c7a4c8509aceb Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Tue, 18 Feb 2014 20:21:05 +0100 Subject: haproxy-devel, add some extra 'help' text and correction on source formating tabs --- config/haproxy-devel/haproxy_global.php | 30 ++++++------- config/haproxy-devel/haproxy_listeners_edit.php | 9 ++-- config/haproxy-devel/haproxy_pool_edit.php | 57 +++++++++++++++++++++---- 3 files changed, 67 insertions(+), 29 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index 8264558f..c9a25eee 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -161,20 +161,6 @@ function enable_change(enable_change) {
- - - - - - - - @@ -357,7 +343,8 @@ function enable_change(enable_change) { @@ -367,6 +354,19 @@ function enable_change(enable_change) {   + + + + + + + diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index bd0f93d5..09af1c5b 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -57,8 +57,6 @@ function haproxy_js_acl_select($mode) { return $seltext; } -$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; - if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) { $config['installedpackages']['haproxy']['ha_backends']['item'] = array(); } @@ -445,7 +443,7 @@ $interfaces = haproxy_get_bindable_interfaces(); @@ -546,7 +544,8 @@ $interfaces = haproxy_get_bindable_interfaces(); @@ -597,7 +596,7 @@ $interfaces = haproxy_get_bindable_interfaces(); @@ -459,6 +496,7 @@ foreach($simplefields as $field){ @@ -494,7 +532,8 @@ foreach($simplefields as $field){ @@ -629,10 +668,10 @@ set by the 'retries' parameter. - + - - + + - + - + - + - + + + + + + + + + diff --git a/config/haproxy-devel/haproxy_stats.php b/config/haproxy-devel/haproxy_stats.php index 8ad04c92..752bd8d7 100644 --- a/config/haproxy-devel/haproxy_stats.php +++ b/config/haproxy-devel/haproxy_stats.php @@ -65,7 +65,8 @@ if (isset($_GET['haproxystats']) || isset($_GET['scope']) || (isset($_POST) && i } require_once("guiconfig.inc"); if (isset($_GET['showsticktablecontent'])){ - header("Refresh: 2"); + if (is_numeric($pconfig['localstats_sticktable_refreshtime'])) + header("Refresh: {$pconfig['localstats_sticktable_refreshtime']}"); } $shortcut_section = "haproxy"; require_once("haproxy.inc"); @@ -163,7 +164,7 @@ include("head.inc"); if (isset($_GET['showsticktablecontent'])){ $sticktablename = $_GET['showsticktablecontent']; echo "
Recalculate certificate chain.
  - - -
- This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not - always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. -
General settings
  - + +
NOTE: paste text into this box that you would like to pass thru in the global settings area.
Recalculate certificate chain.
  + + (Other changes on this page will be lost) +
+ This can be required after certificates have been created or imported. As pfSense 2.1.0 currently does not + always keep track of these dependencies which might be required to create a proper certificate chain when using SSLoffloading. +
Configuration synchronization
External port size="10" maxlength="500" /> -
The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,443
+
The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,8000
Advanced pass thru - + +
NOTE: paste text into this box that you would like to pass thru.
Advanced ssl options - maxlength="64" /> + />
NOTE: Paste additional ssl options(without commas) to include on ssl listening options.
some options: force-sslv3, force-tlsv10 force-tlsv11 force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 no-tlsv12 no-tls-tickets diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 9b64df87..86b325c1 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -308,6 +308,18 @@ foreach($simplefields as $field){ } } } + function toggleCSSdisplay(cssID) + { + var ss = document.styleSheets; + for (var i=0; i
Server list + + Toggle serverlist help. ">help + + + +
+ Mode: Active: server will be used normally
+ Backup: server is only used in load balancing when all other non-backup servers are unavailable
+ Disabled: server is marked down in maintenance mode
+ Inactive: server will not be available for use +
+ Name: Used to as a name for the server in for example the stats
EXAMPLE: MyWebServer +
+ Address: IP or hostname(only resolved on start-up.)
EXAMPLE: 192.168.1.22 , fe80::1000:2000:3000:4000%em0 , WebServer1.localdomain +
+ Port: The port of the backend.
EXAMPLE: 80 or 443
+
+ SSL: Is the backend using SSL (commonly with port 443)
+
+ Weight: A weight between 0 and 256, this setting can be used when multiple servers on different hardware need to be balanced with with a different part the traffic. A server with weight 0 wont get new traffic. Default if empty: 1 +
+ Cookie: the value of the cookie used to identify a server (only when cookie-persistence is enabled below) +
+ Advanced: More advanced settings like rise,fall,error-limit,send-proxy and others can be configured here.
For a full list of options see the HAProxy manual: Server and default-server options +
Transparent ClientIP + WARNING Activating this option will load rules in IPFW and might interfere with CaptivePortal and possibly other services due to the way server return traffic must be 'captured' with a automatically created fwd rule. This also breaks directly accessing the (web)server on the ports configured above. Also a automatic sloppy pf rule is made to allow HAProxy to server traffic.
onclick='updatevisibility();' /> Use Client-IP to connect to backend servers.
@@ -479,7 +517,7 @@ foreach($simplefields as $field){ For proper workings this requires the reply's traffic to pass through pfSense by means of correct routing. (uses the option "source 0.0.0.0 usesrc clientip")

- Note : When this is enabled for a single backend HAProxy will run as 'root', which reduces security. + Note : When this is enabled for a single backend HAProxy will run as 'root' instead of chrooting to a lower privileged user, this reduces security in case of a a bit.
Backend pass thru - + +
NOTE: paste text into this box that you would like to pass thru. Applied to the backend section.
 
Cookie persistence
Cookie Enabled onclick='updatevisibility();' /> @@ -664,7 +703,7 @@ set by the 'retries' parameter.
 
Stick-table persistence
These options are used to make sure seperate requests from a single client go to the same backend. This can be required for servers that keep track of for example a shopping cart.
Stick tables Date: Mon, 24 Feb 2014 23:40:52 +0100 Subject: haproxy-devel, don't keep reference to original variable using & --- config/haproxy-devel/haproxy.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 24be5363..e7d8f420 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -898,7 +898,7 @@ function haproxy_writeconf($configpath) { $default_backend = ""; $i = 0; foreach ($bind['config'] as $frontend) { - $a_acl = &get_frontend_acls($frontend); + $a_acl = get_frontend_acls($frontend); $poolname = $frontend['backend_serverpool'] . "_" . strtolower($frontend['type']); -- cgit v1.2.3 From ee8adaa054b094fb0ced6934bf768a2643a01d7a Mon Sep 17 00:00:00 2001 From: Luar Roji Date: Thu, 27 Feb 2014 13:15:20 -0800 Subject: Fixes problem stopping haproxy We've experienced problems stopping haproxy from web gui. From command line it said that haproxy was not found. I found that the path to the executable was not right, and fixed it. --- config/haproxy-devel/haproxy.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index d039b55a..81de89f1 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -189,7 +189,7 @@ function haproxy_custom_php_install_command() { name="haproxy" rcvar=`set_rcvar` -command="/usr/local/bin/haproxy" +command="/usr/pbi/haproxy-devel-`uname -m`/sbin/haproxy" haproxy_enable=\${haproxy-"YES"} start_cmd="haproxy_start" -- cgit v1.2.3 From 29f8c0f3d4ebbf977768f57bff8048387b60ed3b Mon Sep 17 00:00:00 2001 
From: PiBa-NL Date: Fri, 28 Feb 2014 16:39:18 +0100 Subject: haproxy-devel, dont reload firewall rules every 2 minutes. --- config/haproxy-devel/haproxy.inc | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index d039b55a..9bc0dd80 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -1137,14 +1137,6 @@ function haproxy_check_run($reload) { $a_global = &$config['installedpackages']['haproxy']; $configpath = "{$g['varetc_path']}/haproxy"; - exec("/usr/bin/limits -n 300014"); - - if(use_transparent_clientip_proxying()) { - filter_configure(); - load_ipfw_rules(); - } else - mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); - if(isset($a_global['enable'])) { if (isset($a_global['carpdev'])) { $status = get_carp_interface_status($a_global['carpdev']); @@ -1163,6 +1155,12 @@ function haproxy_check_run($reload) { } else if ($reload == 0) return (0); + if(use_transparent_clientip_proxying()) { + filter_configure(); + load_ipfw_rules(); + } else + mwexec("/usr/local/sbin/ipfw_context -d haproxy", true); + if (haproxy_is_running()) { if (isset($a_global['terminate_on_reload'])) $sf_st = "-st";//terminate old process as soon as the new process is listening -- cgit v1.2.3 From 04205b537352d88afd2f2dd0be9ab1944e97160d Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 6 Mar 2014 00:28:56 +0100 Subject: haproxy-devel, make stats-tab refresh timers configurable. --- config/haproxy-devel/haproxy.inc | 3 ++- config/haproxy-devel/haproxy_global.php | 26 +++++++++++++++++++++++++- config/haproxy-devel/haproxy_stats.php | 5 +++-- 3 files changed, 30 insertions(+), 4 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 9bc0dd80..a34b20d8 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc 
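Review bot: The first hunk also deletes `exec("/usr/bin/limits -n 300014");` while only the firewall/ipfw block is re-added further down in haproxy_check_run, so the descriptor limit is no longer raised here although the subject speaks only of the firewall reload. If the limit is now raised elsewhere (the rc script, for instance), the commit message should say so; otherwise the line belongs next to the moved `use_transparent_clientip_proxying()` block so it still runs only when haproxy is actually (re)started. haproxy_check_run's body continues outside both hunks.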
@@ -733,7 +733,8 @@ function haproxy_writeconf($configpath) { fwrite ($fd, "\tbind 127.0.0.1:$localstatsport\n"); fwrite ($fd, "\tmode http\n"); fwrite ($fd, "\tstats enable\n"); - fwrite ($fd, "\tstats refresh 10\n"); + if (is_numeric($a_global['localstats_refreshtime'])) + fwrite ($fd, "\tstats refresh {$a_global['localstats_refreshtime']}\n"); fwrite ($fd, "\tstats admin if TRUE\n"); fwrite ($fd, "\tstats uri /haproxy_stats.php?haproxystats=1\n"); fwrite ($fd, "\ttimeout client 5000\n"); diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index 8264558f..1419e756 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -36,6 +36,8 @@ require_once("haproxy_utils.inc"); require_once("globals.inc"); require_once("pkg_haproxy_tabs.inc"); +$simplefields = array('localstats_refreshtime','localstats_sticktable_refreshtime'); + if (!is_array($config['installedpackages']['haproxy'])) $config['installedpackages']['haproxy'] = array(); @@ -68,7 +70,13 @@ if ($_POST) { $input_errors[] = "The maximum number of connections should be numeric."; if ($_POST['localstatsport'] && (!is_numeric($_POST['localstatsport']))) - $input_errors[] = "The local stats port should be numeric."; + $input_errors[] = "The local stats port should be numeric or empty."; + + if ($_POST['localstats_refreshtime'] && (!is_numeric($_POST['localstats_refreshtime']))) + $input_errors[] = "The local stats refresh time should be numeric or empty."; + + if ($_POST['localstats_sticktable_refreshtime'] && (!is_numeric($_POST['localstats_sticktable_refreshtime']))) + $input_errors[] = "The local stats sticktable refresh time should be numeric or empty."; /*if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1'])) $input_errors[] = "Synchost1 needs to be an IPAddress."; 
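Review bot: `is_numeric($a_global['localstats_refreshtime'])` also accepts values such as `1.5`, `-5` and `1e3`, and whatever passes is written verbatim into `stats refresh`, which haproxy parses as an integer time value, so a setting that validated in the GUI can make the generated configuration fail to load. Casting at the write site, `fwrite ($fd, "\tstats refresh " . (int)$a_global['localstats_refreshtime'] . "\n");`, and using `ctype_digit()` in the two new `$input_errors` checks of the haproxy_global.php hunk in this commit would close that gap. The `Refresh:` header hunk in haproxy_stats.php relies on the same `is_numeric` guard and deserves the same treatment.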
@@ -93,6 +101,8 @@ if ($_POST) { $config['installedpackages']['haproxy']['localstatsport'] = $_POST['localstatsport'] ? $_POST['localstatsport'] : false; $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false; $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; + foreach($simplefields as $stat) + $config['installedpackages']['haproxy'][$stat] = $_POST[$stat]; touch($d_haproxyconfdirty_path); write_config(); } @@ -114,6 +124,8 @@ $pconfig['carpdev'] = $config['installedpackages']['haproxy']['carpdev']; $pconfig['localstatsport'] = $config['installedpackages']['haproxy']['localstatsport']; $pconfig['advanced'] = base64_decode($config['installedpackages']['haproxy']['advanced']); $pconfig['nbproc'] = $config['installedpackages']['haproxy']['nbproc']; +foreach($simplefields as $stat) + $pconfig[$stat] = $config['installedpackages']['haproxy'][$stat]; // defaults if (!$pconfig['logfacility']) @@ -351,6 +363,18 @@ function enable_change(enable_change) { Leave this setting empty to remove the "HAProxyLocalStats" item from the stats page and save a little on recources.
Internal stats refresh rate + size="10" maxlength="5" /> Seconds, Leave this setting empty to not refresh the page automatically. EXAMPLE: 10 +
Sticktable page refresh rate + size="10" maxlength="5" /> Seconds, Leave this setting empty to not refresh the page automatically. EXAMPLE: 10 +
Global Advanced pass thru
"; - echo "TESTJe
"; + echo "Contents of the sticktable: $sticktablename
"; $res = haproxy_socket_command("show table $sticktablename"); foreach($res as $line){ echo "
".print_r($line,true); -- cgit v1.2.3 From 9cabf2d6c98b88a7cc704a04c2eaf9992e903819 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 6 Mar 2014 00:50:03 +0100 Subject: haproxy-devel, -fix sslcheckbox that was automatically turning on when editing -allow 2nd clones to be linked to the original primary frontend when making them shared --- config/haproxy-devel/haproxy_listeners_edit.php | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index bd0f93d5..47fb3b03 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -80,6 +80,12 @@ if (isset($_GET['dup'])) $id = get_frontend_id($id); +if (!is_numeric($id)) +{ + //default value for new items. + $pconfig['ssloffloadacl'] = "yes"; +} + $servercerts = get_certificates_server(); $fields_sslCertificates=array(); @@ -227,17 +233,13 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -if (!$id) -{ - //default value for new items. - $pconfig['ssloffloadacl'] = "yes"; -} - $closehead = false; $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); -$primaryfrontends = get_haproxy_frontends($pconfig['name']); +if (!isset($_GET['dup'])) + $excludefrontent = $pconfig['name']; +$primaryfrontends = get_haproxy_frontends($excludefrontent); $interfaces = haproxy_get_bindable_interfaces(); ?> -- cgit v1.2.3 From 9ea8f935bcdce2e99462b04c65dc242755e2d88c Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 13 Mar 2014 16:05:14 +0100 Subject: haproxy-devel, handle carp master/backup plugin event for faster response when the haproxy process needs to be started --- config/haproxy-devel/haproxy.inc | 11 +++++++++++ config/haproxy-devel/haproxy.xml | 5 +++++ 2 files changed, 16 insertions(+) (limited to 'config/haproxy-devel') 
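Review bot: The new `echo "Contents of the sticktable: $sticktablename` line writes `$_GET['showsticktablecontent']` into the page unescaped, and the same raw value is interpolated into `haproxy_socket_command("show table $sticktablename")` on the following context line, so a crafted link can inject markup into the page and extra words into the stats-socket command. Restrict the value before use, for example `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $sticktablename)) { $sticktablename = ''; }` or a lookup against the configured backend names, and print it with `htmlspecialchars($sticktablename)`. The `print_r($line,true)` output on the last context line is likewise emitted without escaping; this hunk's header appears earlier on the page and the surrounding code is not part of the hunk.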
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 9bc0dd80..c3ccc498 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -1131,6 +1131,17 @@ function load_ipfw_rules() { mwexec("/sbin/ipfw -x $ipfw_zone_haproxy -q {$g['tmp_path']}/ipfw_{$ipfw_zone_haproxy}.haproxy.rules", true); } +function haproxy_plugin_carp($pluginparams) { + // called by pfSense when a CARP interface changes its state (called multiple times when multiple interfaces change state) + // $pluginparams['type'] always 'carp' + // $pluginparams['event'] either 'rc.carpmaster' or 'rc.carpbackup' + // $pluginparams['interface'] contains the affected interface + $type = $pluginparams['type']; + $event = $pluginparams['event']; + $interface = $pluginparams['interface']; + haproxy_check_run(0); +} + function haproxy_check_run($reload) { global $config, $g, $haproxy_run_message; diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml index bbc32575..25949392 100644 --- a/config/haproxy-devel/haproxy.xml +++ b/config/haproxy-devel/haproxy.xml @@ -58,6 +58,11 @@ haproxy The Reliable, High Performance TCP/HTTP Load Balancer + + + plugin_carp + + installedpackages->haproxy->config /usr/local/pkg/ -- cgit v1.2.3 From 7bbd26c64a1dd7dcf7fc98971032a5bfbd686bc6 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 13 Mar 2014 16:45:59 +0100 Subject: haproxy-devel, corrections for memory requirements and link to 'System Tunables' for high connection counts. --- config/haproxy-devel/haproxy_global.php | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index 8264558f..c860fa38 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -199,11 +199,17 @@ function enable_change(enable_change) {
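Review bot: In haproxy_plugin_carp the locals `$type`, `$event` and `$interface` are assigned and never used; either drop the three assignments and keep the comment that documents `$pluginparams`, or act on `$event`, since the handler currently calls `haproxy_check_run(0)` for every CARP transition, master and backup alike. If haproxy_check_run(0) is also run on a timer, as the earlier "every 2 minutes" commit suggests, a short comment such as `// CARP transitions only shorten the reaction time; the periodic check remains authoritative` would make the intent clear. The haproxy.xml hunk registering `plugin_carp` has its markup stripped on this page and is not reviewable here.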
Sets the maximum per-process number of concurrent connections to X.
NOTE: setting this value too high will result in HAProxy not being able to allocate enough memory.
+

Current memory usage: {$memusage} K.

"; + echo "Current memory usage: {$memusage} kB.
"; ?> + Current 'System Tunables' settings.
+   'kern.maxfiles':
+   'kern.maxfilesperproc':
+

+ Full memory usage will only show after all connections have actually been used. @@ -216,23 +222,29 @@ function enable_change(enable_change) { - - + + - - + + - - + + - - + + + + +
9991888K150 kB
999998032K1.00048 MB
99999950016K10.000488 MB
9999999467M100.0004,8 GB
Calculated for plain HTTP connections,
using ssl offloading will increase this.
+ When setting a high amount of allowed simultaneous connections you will need to add and or increase the following two 'System Tunables' kern.maxfiles and kern.maxfilesperproc. + For HAProxy alone set these to at least the number of allowed connections * 2 + 31. So for 100.000 connections these need to be 200.031 or more to avoid trouble, take into account that handles are also used by other processes when setting kern.maxfiles. +
-- cgit v1.2.3 From 75e58870aea85346fe7b439ff04c5b98b2e7dfb2 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 13 Mar 2014 18:51:57 +0100 Subject: haproxy-devel, type in var: excludefrontent > excludefrontend --- config/haproxy-devel/haproxy_listeners_edit.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index 47fb3b03..3ea72274 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -238,8 +238,8 @@ $pgtitle = "HAProxy: Frontend: Edit"; include("head.inc"); if (!isset($_GET['dup'])) - $excludefrontent = $pconfig['name']; -$primaryfrontends = get_haproxy_frontends($excludefrontent); + $excludefrontend = $pconfig['name']; +$primaryfrontends = get_haproxy_frontends($excludefrontend); $interfaces = haproxy_get_bindable_interfaces(); ?> -- cgit v1.2.3 From ea49050c536f8480124a3497efce4a31d91e3931 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 13 Mar 2014 21:28:51 +0100 Subject: haproxy-devel, place lock while starting, to prevent the startup script starting haproxy twice and loosing track of already running pid's. --- config/haproxy-devel/haproxy.inc | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index 9bc0dd80..9b2b5838 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc 
@@ -635,13 +635,11 @@ function write_backend($fd, $name, $pool, $frontend) { function haproxy_configure() { global $g; // reload haproxy - haproxy_writeconf("{$g['varetc_path']}/haproxy"); return haproxy_check_run(1); } function haproxy_check_and_run(&$messages, $reload) { global $g; - $configpath = "{$g['varetc_path']}/haproxy"; $testpath = "{$g['varetc_path']}/haproxy_test"; haproxy_writeconf($testpath); $retval = exec("haproxy -c -V -f $testpath/haproxy.cfg 2>&1", $output, $err); @@ -659,7 +657,6 @@ function haproxy_check_and_run(&$messages, $reload) { $ok = strstr($retval, "Configuration file is valid"); if ($ok && $reload) { global $haproxy_run_message; - haproxy_writeconf($configpath); rmdir_recursive($testpath); $ok = haproxy_check_run(1) == 0; $messages = $haproxy_run_message; @@ -1134,8 +1131,12 @@ function load_ipfw_rules() { function haproxy_check_run($reload) { global $config, $g, $haproxy_run_message; + $haproxylock = lock("haproxy", LOCK_EX); $a_global = &$config['installedpackages']['haproxy']; $configpath = "{$g['varetc_path']}/haproxy"; + + if ($reload) + haproxy_writeconf($configpath); if(isset($a_global['enable'])) { if (isset($a_global['carpdev'])) { @@ -1146,14 +1147,18 @@ function haproxy_check_run($reload) { //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile haproxy_kill(); } + unlock($haproxylock); return (0); } else if (haproxy_is_running() && $reload == 0) { + unlock($haproxylock); return (0); } log_error("Starting haproxy on CARP master."); /* fallthrough */ - } else if ($reload == 0) + } else if ($reload == 0){ + unlock($haproxylock); return (0); + } if(use_transparent_clientip_proxying()) { filter_configure(); @@ -1172,14 +1177,15 @@ function haproxy_check_run($reload) { } foreach($output as $line) $haproxy_run_message .= "
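Review bot: haproxy_check_run now has five separate `unlock($haproxylock)` calls placed in front of `return` statements, and any early return added later will silently keep the lock held until the process exits, which on this code path means the next start attempt blocks. A simpler shape is to move the existing body into a private `haproxy_check_run_locked($reload)` and have haproxy_check_run do `$haproxylock = lock("haproxy", LOCK_EX); $ret = haproxy_check_run_locked($reload); unlock($haproxylock); return $ret;`, so the lock is released at exactly one place. The `@@ -1172` hunk that finishes this change continues on the next page line, and haproxy_check_run's body runs past the visible hunks.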
" . htmlspecialchars($line) . "\n"; - return ($errcode); } else { if ($reload && haproxy_is_running()) { //exec("/bin/pkill -F /var/run/haproxy.pid haproxy");//doesnt work for multiple pid's in a pidfile haproxy_kill(); } - return (0); + $errcode = 0; } + unlock($haproxylock); + return ($errcode); } function haproxy_kill($killimmediately = true) { -- cgit v1.2.3 From 0f5097ab454e1458dd7e17eaab4e2cc0f2490056 Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Thu, 13 Mar 2014 21:30:30 +0100 Subject: haproxy-devel, xmlparser needs 'item' for array elements --- config/haproxy-devel/haproxy.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml index 25949392..bf1430b8 100644 --- a/config/haproxy-devel/haproxy.xml +++ b/config/haproxy-devel/haproxy.xml @@ -59,9 +59,9 @@ The Reliable, High Performance TCP/HTTP Load Balancer - + plugin_carp - + installedpackages->haproxy->config -- cgit v1.2.3 From 4505f0c18e3ecf837063d9b9711999cfdd17d12e Mon Sep 17 00:00:00 2001 From: PiBa-NL Date: Fri, 14 Mar 2014 20:40:03 +0100 Subject: haproxy-devel, support for port-aliasses, using htmlspecialchars where needed --- config/haproxy-devel/haproxy.inc | 92 ++++++++++++++++++++++++- config/haproxy-devel/haproxy_listeners.php | 4 +- config/haproxy-devel/haproxy_listeners_edit.php | 14 ++-- config/haproxy-devel/haproxy_pool_edit.php | 8 +-- 4 files changed, 102 insertions(+), 16 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index d039b55a..3dce7e4d 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc 
@@ -158,6 +158,88 @@ $a_sticky_type['stick_rdp_cookie'] = array('name' => 'Stick on RDP-cookie', 'descr' => "Uses a RDP-Cookie send by the mstsc client, note that not all clients send this.", 'cookiedescr' => 'EXAMPLE: msts or mstshash'); +if(!function_exists('group_ports')){ +// function group_ports() is present in pfSense 2.2 in util.inc +/* create ranges of sequential port numbers (200:215) and remove duplicates */ +function group_ports($ports) { + if (!is_array($ports) || empty($ports)) + return; + + $uniq = array(); + foreach ($ports as $port) { + if (is_portrange($port)) { + list($begin, $end) = explode(":", $port); + if ($begin > $end) { + $aux = $begin; + $begin = $end; + $end = $aux; + } + for ($i = $begin; $i <= $end; $i++) + if (!in_array($i, $uniq)) + $uniq[] = $i; + } else if (is_port($port)) { + if (!in_array($port, $uniq)) + $uniq[] = $port; + } + } + sort($uniq, SORT_NUMERIC); + + $result = array(); + foreach ($uniq as $idx => $port) { + if ($idx == 0) { + $result[] = $port; + continue; + } + + $last = end($result); + if (is_portrange($last)) + list($begin, $end) = explode(":", $last); + else + $begin = $end = $last; + + if ($port == ($end+1)) { + $end++; + $result[count($result)-1] = "{$begin}:{$end}"; + } else { + $result[] = $port; + } + } + + return $result; +} +} + +function haproxy_portoralias_to_list($port_or_alias) { + // input: a port or aliasname: 80 https MyPortAlias + // returns: a array of ports and portranges 80 443 8000:8010 + global $config; + $portresult = array(); + if (is_alias($port_or_alias)) { + if (is_array($config['aliases']['alias'])) { + foreach ($config['aliases']['alias'] as $alias) { + if ($alias['name'] == $port_or_alias && preg_match("/port/i", $alias['type'])) { + $ports = explode(' ',$alias['address']); + foreach($ports as $port) { + $portresults = haproxy_portoralias_to_list($port); + $portresult = array_merge($portresult, $portresults); + } + return $portresult; + } + } + } + } else if 
(is_portrange($port_or_alias)) { + return (array)$port_or_alias; + } else if (is_port($port_or_alias)) { + if (getservbyname($port_or_alias, "tcp")) + return (array)getservbyname($port_or_alias, "tcp"); + if (getservbyname($port_or_alias, "udp")) + return (array)getservbyname($port_or_alias, "udp"); + return (array)$port_or_alias; + } + else + return null; +} + function haproxy_custom_php_deinstall_command() { exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); exec("rm /usr/local/pkg/haproxy*"); @@ -840,9 +922,13 @@ function haproxy_writeconf($configpath) { // Process and add bind directives for ports $ip = haproxy_interface_ip($bind['extaddr']); if ($ip){ - foreach($ports as $port) { - if($port) { - $listenip .= "\tbind\t\t\t$ip:{$port} {$ssl_info} {$advanced_bind}\n"; + foreach($ports as $alias_or_port) { + if($alias_or_port) { + $portsnumeric = group_ports(haproxy_portoralias_to_list($alias_or_port)); + foreach($portsnumeric as $portnumeric) { + $portnumeric = str_replace(":","-",$portnumeric); + $listenip .= "\tbind\t\t\t$ip:{$portnumeric} {$ssl_info} {$advanced_bind}\n"; + } } } } diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index 2a1f12e6..f5d262e0 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -167,7 +167,7 @@ include("head.inc"); $acls = get_frontend_acls($frontend); $isaclset = ""; foreach ($acls as $acl) { - $isaclset .= " " . $acl['descr']; + $isaclset .= " " . htmlspecialchars($acl['descr']); } if ($frontend['ssloffloadacl']) $isaclset .= " " . "Certificate ACL"; 
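Review bot: haproxy_portoralias_to_list falls off the end without a `return` when `is_alias()` is true but no port-type alias of that name exists, and group_ports returns nothing for a non-array, so the new `foreach($portsnumeric as $portnumeric)` loop in the writeconf hunk iterates over null (PHP warning, bind line silently dropped). End the resolver with `return $portresult;` and guard the caller with `if (!is_array($portsnumeric)) continue;`. The recursive call for alias members also has no depth limit, so an alias that contains itself directly or through another alias recurses until the stack is exhausted; threading a set of already-visited alias names through the recursion would bound it. Both new functions are complete within the hunk; haproxy_writeconf is not.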
@@ -178,7 +178,7 @@ include("head.inc"); echo ""; $isadvset = ""; - if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: {$frontend['advanced_bind']}\r\n"; + if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: ".htmlspecialchars($frontend['advanced_bind'])."\r\n"; if ($frontend['advanced']) $isadvset .= "Advanced pass thru setting used\r\n"; if ($isadvset) echo ""; diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index 09af1c5b..39df82d1 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -149,8 +149,8 @@ if ($_POST) { $ports = split(",", $_POST['port'] . ","); foreach($ports as $port) - if ($port && !is_numeric($port)) - $input_errors[] = "The field 'Port' value is not a number."; + if ($port && !is_numeric($port) && !is_portoralias($port)) + $input_errors[] = "The field 'Port' value '".htmlspecialchars($port)."' is not a number or alias thereof."; if ($_POST['client_timeout'] !== "" && !is_numeric($_POST['client_timeout'])) $input_errors[] = "The field 'Client timeout' value is not a number."; @@ -245,6 +245,8 @@ $interfaces = haproxy_get_bindable_interfaces(); .haproxy_primary{} .haproxy_secondary{display:none;} + + @@ -253,7 +255,6 @@ $interfaces = haproxy_get_bindable_interfaces(); - Per server pass thru - ' size="64" /> + ' size="64" />
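Review bot: The new condition `if ($port && !is_numeric($port) && !is_portoralias($port))` still accepts any numeric string, including values is_numeric allows but no port can have ("1e3", "80.5", "-1", "70000"); those pass validation here and are only rejected later by is_port inside haproxy_portoralias_to_list when the configuration is written, so the error surfaces at apply time instead of at input time. If is_portoralias falls back to is_port for non-alias values, as pfSense's util.inc version does, the is_numeric clause only widens the accepted set; use `if ($port && !is_portoralias($port))`. If port ranges such as 8000:8010 are meant to be enterable here (haproxy_portoralias_to_list handles them), is_portoralias likely rejects them and a separate is_portrange check would be needed alongside it.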
NOTE: paste text into this box that you would like to pass thru. Applied to each 'server' line. @@ -533,7 +529,7 @@ foreach($simplefields as $field){ Backend pass thru - +
NOTE: paste text into this box that you would like to pass thru. Applied to the backend section. -- cgit v1.2.3 From a84a84bf31ed33c7e132b704186a56b77cc9148a Mon Sep 17 00:00:00 2001 From: Renato Botelho Date: Tue, 18 Mar 2014 14:18:37 -0300 Subject: Fixup URLs: - Replace http by https - *.pfsense.com -> *.pfsense.org - www.pfsense.org/packages/config -> packages.pfsense.org/packages/config --- config/haproxy-devel/haproxy.inc | 2 +- config/haproxy-devel/haproxy.widget.php | 2 +- config/haproxy-devel/haproxy.xml | 28 ++++++++++++------------- config/haproxy-devel/haproxy_global.php | 2 +- config/haproxy-devel/haproxy_htmllist.inc | 2 +- config/haproxy-devel/haproxy_listeners.php | 2 +- config/haproxy-devel/haproxy_listeners_edit.php | 2 +- config/haproxy-devel/haproxy_pool_edit.php | 2 +- config/haproxy-devel/haproxy_pools.php | 2 +- config/haproxy-devel/haproxy_socketinfo.inc | 2 +- config/haproxy-devel/haproxy_stats.php | 2 +- config/haproxy-devel/haproxy_utils.inc | 2 +- 12 files changed, 25 insertions(+), 25 deletions(-) (limited to 'config/haproxy-devel') diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index bde2cace..1dd3332e 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -174,7 +174,7 @@ function haproxy_custom_php_install_command() { $freebsd_version = substr(trim(`uname -r`), 0, 1); if(!file_exists("/usr/bin/limits")) { - exec("fetch -q -o /usr/bin/limits http://files.pfsense.org/extras/{$freebsd_version}/limits"); + exec("fetch -q -o /usr/bin/limits https://files.pfsense.org/extras/{$freebsd_version}/limits"); exec("chmod a+rx /usr/bin/limits"); } diff --git a/config/haproxy-devel/haproxy.widget.php b/config/haproxy-devel/haproxy.widget.php index 7954e404..5d664e81 100644 --- a/config/haproxy-devel/haproxy.widget.php +++ b/config/haproxy-devel/haproxy.widget.php 
@@ -3,7 +3,7 @@ Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho - Part of pfSense widgets (www.pfsense.com) + Part of pfSense widgets (www.pfsense.org) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml index bf1430b8..5c534522 100644 --- a/config/haproxy-devel/haproxy.xml +++ b/config/haproxy-devel/haproxy.xml 
@@ -67,72 +67,72 @@ /usr/local/pkg/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy.inc + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.inc /usr/local/www/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners.php + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_listeners.php /usr/local/www/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_listeners_edit.php + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_listeners_edit.php /usr/local/www/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_global.php + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_global.php /usr/local/www/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pools.php + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_pools.php /usr/local/www/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_pool_edit.php + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_pool_edit.php /usr/local/www/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_stats.php + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_stats.php /usr/local/pkg/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_socketinfo.inc + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_socketinfo.inc /usr/local/pkg/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc /usr/local/pkg/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_htmllist.inc + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_htmllist.inc /usr/local/pkg/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy_utils.inc + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_utils.inc 
/usr/local/www/widgets/widgets/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/haproxy.widget.php + https://packages.pfsense.org/packages/config/haproxy-devel/haproxy.widget.php /usr/local/www/shortcuts/ 0755 - http://www.pfsense.org/packages/config/haproxy-devel/pkg_haproxy.inc + https://packages.pfsense.org/packages/config/haproxy-devel/pkg_haproxy.inc /usr/local/pkg/ 077 - http://www.pfsense.com/packages/config/haproxy-devel/pkg_haproxy_tabs.inc + https://packages.pfsense.org/packages/config/haproxy-devel/pkg_haproxy_tabs.inc diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index 4e8a5e40..5e4d96eb 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool.php,v 1.5.2.6 2007/03/02 23:48:32 smos Exp $ */ /* haproxy_global.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich Copyright (C) 2008 Remco Hoef diff --git a/config/haproxy-devel/haproxy_htmllist.inc b/config/haproxy-devel/haproxy_htmllist.inc index 2e93ca2a..ae46ffd4 100644 --- a/config/haproxy-devel/haproxy_htmllist.inc +++ b/config/haproxy-devel/haproxy_htmllist.inc @@ -1,7 +1,7 @@ Copyright (C) 2008 Remco Hoef diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index 3ea72274..2a9ac6b7 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ /* haproxy_listeners_edit.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2009 Scott Ullrich Copyright (C) 2008 Remco Hoef Copyright (C) 2013 PiBa-NL merging (some of the) "haproxy-devel" changes from: Marcello Coutinho 
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php index 9b64df87..e546af22 100644 --- a/config/haproxy-devel/haproxy_pool_edit.php +++ b/config/haproxy-devel/haproxy_pool_edit.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_pool_edit.php,v 1.24.2.23 2007/03/03 00:07:09 smos Exp $ */ /* haproxy_pool_edit.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich Copyright (C) 2008 Remco Hoef diff --git a/config/haproxy-devel/haproxy_pools.php b/config/haproxy-devel/haproxy_pools.php index 01655006..15567807 100644 --- a/config/haproxy-devel/haproxy_pools.php +++ b/config/haproxy-devel/haproxy_pools.php @@ -2,7 +2,7 @@ /* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */ /* haproxy_pools.php - part of pfSense (http://www.pfsense.com/) + part of pfSense (https://www.pfsense.org/) Copyright (C) 2013 PiBa-NL Copyright (C) 2009 Scott Ullrich Copyright (C) 2008 Remco Hoef diff --git a/config/haproxy-devel/haproxy_socketinfo.inc b/config/haproxy-devel/haproxy_socketinfo.inc index 5c6e847d..6beb17c5 100644 --- a/config/haproxy-devel/haproxy_socketinfo.inc +++ b/config/haproxy-devel/haproxy_socketinfo.inc @@ -3,7 +3,7 @@ Copyright (C) 2013 PiBa-NL Copyright 2011 Thomas Schaefer - Tomschaefer.org Copyright 2011 Marcello Coutinho - Part of pfSense widgets (www.pfsense.com) + Part of pfSense widgets (www.pfsense.org) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/config/haproxy-devel/haproxy_stats.php b/config/haproxy-devel/haproxy_stats.php index 752bd8d7..cbf5b2b2 100644 --- a/config/haproxy-devel/haproxy_stats.php +++ b/config/haproxy-devel/haproxy_stats.php @@ -1,7 +1,7 @@